USPS, the United States Postal Service, is an independent agency of the executive branch of the United States federal government, responsible for providing postal service in the United States, including its insular areas and associated states. USPS, like other shipping services such as DHL, UPS and FedEx, is a common target for phishing and impersonation attacks, and lately, with the major growth in online shopping and deliveries, we are seeing an increase not only in the number of these attacks but also in their sophistication.
In this campaign, the attacker uses various techniques to steal people's credit card numbers by sending phishing emails about deliveries from national postal systems. The emails try to lead users to phishing websites that capture their credit card details. This is a widespread attempt that affects at least 26 countries, including the United States, Switzerland, China, Japan, and Singapore. There have already been reports about this campaign in the Hong Kong press and in the United States.
In order to help the public and raise awareness, we decided to post about this spoofing attempt through a comprehensive blog that contains screenshots and recommendations.
In the attacks that were recently detected and intercepted by our platform, the attacker chose to impersonate USPS and distribute a notice of a failed delivery. As you can see below, the common pattern is that the display name is changed to "US Postal Service" while the emails are sent from domains that do not belong to the company, such as "magneta.de", "healmylifeenergy.com" and "servicesinforeviews.com".
The user receives an email that looks very legitimate and contains the USPS company logo.
The attacker designed the email to prompt action and entice the user to click the “View Details” button.
Clicking the “View Details” button led us to a web application with the same design as the actual USPS website.
The attacker spoofed the USPS website (www.usps.com) and uses a lookalike domain that is quite misleading and easily missed: www.tools-usps.com.
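The two tells described so far (a brand name in the display name of a message sent from an unrelated domain, and a "View Details" link whose host contains the brand name but is not the brand's own domain) can be checked mechanically at the mail gateway. The following Python script is an added example written for this post; it is not code from the original article or from any vendor product. The sample message is constructed (the sender local part `notice@` is invented, the domains are the ones named above), the `BRAND_DOMAINS` allowlist is an assumption, and the two-label "registrable domain" heuristic is a simplification that a production check would replace with the public suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the brand really sends from and links to. A real
# deployment would maintain this list from the brand's published SPF/DMARC data.
BRAND_DOMAINS = {"usps.com"}
# Strings that, in a display name or hostname, indicate the brand is being invoked.
BRAND_KEYWORDS = ("usps", "postal service", "postalservice")

# Constructed sample: display name says USPS, sender domain and link domain do not.
SAMPLE_EMAIL = """\
From: "US Postal Service" <notice@magneta.de>
Subject: Failed delivery notice
Content-Type: text/html; charset="utf-8"

<html><body>Your package could not be delivered.
<a href="http://www.tools-usps.com/index.html">View Details</a>
<a href="https://www.usps.com/">USPS home</a>
</body></html>
"""

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (www.tools-usps.com -> tools-usps.com).
    Simplification: use the public suffix list in production so that
    hosts under suffixes like co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def mentions_brand(text: str) -> bool:
    """True if any brand keyword appears in the text (case-insensitive)."""
    lowered = text.lower()
    return any(keyword in lowered for keyword in BRAND_KEYWORDS)


def check_from_header(from_value: str) -> dict:
    """Flag a From header whose display name claims the brand while the
    address domain is not one of the brand's domains."""
    display_name, address = parseaddr(from_value)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    suspicious = mentions_brand(display_name) and registrable_domain(domain) not in BRAND_DOMAINS
    return {"display_name": display_name, "domain": domain, "suspicious": suspicious}


def check_link(url: str) -> dict:
    """Flag a URL whose host invokes the brand but whose registrable domain
    is not a brand domain (the www.tools-usps.com pattern)."""
    host = urlparse(url).hostname or ""
    reg = registrable_domain(host)
    lookalike = reg not in BRAND_DOMAINS and mentions_brand(host)
    return {"url": url, "registrable_domain": reg, "lookalike": lookalike}


def analyze_email(raw: str) -> list:
    """Parse a raw RFC 822 message and return a list of human-readable findings."""
    msg = message_from_string(raw)
    findings = []
    sender = check_from_header(msg.get("From", ""))
    if sender["suspicious"]:
        findings.append(
            f"display-name spoof: '{sender['display_name']}' sent from {sender['domain']}"
        )
    payload = msg.get_payload(decode=True)
    body = payload.decode(msg.get_content_charset() or "utf-8", errors="replace") if payload else ""
    for url in HREF_RE.findall(body):
        link = check_link(url)
        if link["lookalike"]:
            findings.append(f"lookalike domain in link: {link['registrable_domain']} ({url})")
    return findings


if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print(finding)
```

Run against the constructed sample, the script reports the spoofed display name and the tools-usps.com link while leaving the genuine usps.com link alone. The keyword match deliberately errs toward flagging: a benign newsletter that mentions "postal service" in its display name would also be reported, so in practice these findings feed a score or a quarantine rule rather than an outright block.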
After clicking the button, we were led to the “index.html” page, or to a captcha that is designed to create legitimacy in the eyes of the users.
The page looks like a legitimate USPS page that asks the user to verify the delivery address. The attacker has also added validation of the input format, which makes the page appear more credible.
At first glance, the website seems legitimate, but if we take a deeper look we will notice the following details:
This is in contrast with the real USPS domain, which belongs to the company and was created in 1997:
In comparison to:
After filling in the requested details on the previous page, we were led to a page which asks for credit card details.
As on the previous page, the input was validated for format, but we were able to continue with fake details.
Once the details are filled in, they are sent to the attacker, and additional pages are displayed that exist only to make the process appear more credible.
After clicking "Continue" on the previous page, we were taken to a page that shows a loading GIF and, a couple of seconds later, automatically redirected us to an OTP (one-time password) page.
The only purpose of the above pages is to make the attack look credible to the user after the credit card details have already been captured. Of course, the OTP (one-time password) is fake and no SMS was ever sent to us. We tried to continue by filling in a fake one and were led to another page asking us to re-enter the OTP:
Clicking "Get Another Text" returned us to the previous page to start the process again. We went back to the re-enter OTP page and filled in a fake OTP again. Next, it led us to a confirmation page, the last page of the attack, which says that the payment was completed successfully and the shipping address was updated.
After a couple of seconds, we were redirected automatically to the official USPS website.